The Cyber Academy
-
Upload
khangminh22 -
Category
Documents
-
view
1 -
download
0
Transcript of The Cyber Academy
The Cyber Academy
The Cyber Academy is a progression of three courses designed to impart a strong foundation of offensive and defensive information security skills in 34 weeks of full-time study. Development of the 100% project-based, learn-by-doing program was funded, in part, by the Department of Defense (under agreement C5-16-0023), and the curriculum was designed in conjunction with DoD-selected experts. Students work through 20 tasks (spending 1-2 weeks per task) online in a private cloud environment with help, advice, and feedback from a knowledgeable mentor and extensive online learning resources. The tasks are embedded in the realistic, but fictional, context of work as an entry-level employee of a government cyber operations agency. In addition to the task-based curriculum, an implicit curriculum runs throughout the program via which students learn and practice the cognitive skills essential for success in all areas of information security. These include:
Understanding complex, novel problems Effectively researching solutions Designing and testing solutions Making evidence-based decisions Communicating effectively with stakeholders Self-directed learning
Given the constantly changing nature of threats and challenges, these skills are arguably of equal or greater importance than the task-specific skills students learn. Students must pass each successive course to be eligible to continue.
Immediate Immersion 2021
Course Overview The field of Information Security deals with the ever-growing volume of threats to businesses and government entities. While hardening computer and network infrastructure with patching, firewalls, and intrusion protection systems is important, those tools will probably never stop the threats completely. Adept individuals are needed to monitor the security tools, watching for threats that bypass the automated protections. The analysts in the Security Operations Center (SOC) are the last line of defense. The SOC tries to detect and remediate threats that make it past the protections. The SOC analyst role has traditionally been an entry-level position, but a great deal of knowledge and skills are necessary for success. The success of a SOC is difficult to measure since attackers and attacks never stand still: Everything is a moving target. Success is typically measured by reducing organizational risk by detecting, remediating, and automatically preventing future instances of known attacks. In reality, this is far beyond the capability of most SOCs today. And to make matters even worse, SOC analysts rarely have the tools, tactics, procedures, or training to deal with all the threats that can affect organizations today. Nobody wants to admit how difficult the struggle is, which means it’s difficult to even get the conversation going. Qualifications for entry-level SOC analysts are problematic because most applicants have little if any training in information security. Realistically, an entry-level SOC analyst can only be expected to be passionate about security and have some networking background – which happen to be the prerequisites for this course. In this six-week "on-ramp" course, you will be working at a managed security service provider that provides outsourced information security services to a range of clients. You will investigate alerts by analyzing network traffic. We have designed this course to provide you with initial experience analyzing and understanding what alerts mean through three realistic hands-on tasks. (Future courses will deal with log analysis, malware analysis, digital forensics, and incident response.) Immediate Immersion 2021 includes the following tasks: 1. Exploit a website and fix its vulnerabilities
Students learn to think like attackers. They investigate a defense contractor’s website surreptitiously, fix a vulnerability, and remove malware. To accomplish this, they must use an LFI exploit uncovered by human intelligence to access to the webserver themselves and then crack the
webmaster’s encrypted password, so they can remove the malware and patch the vulnerability that left the system open to attack. OBJECTIVE: Think like an attacker OBJECTIVE: Exploit a website using a local file inclusion vulnerability OBECTIVE: Crack a password OBJECTIVE: Determine if a website has embedded malware OBJECTIVE: Conduct online technical research OBJECTIVE: Patch the code of a website to eliminate a local file inclusion vulnerability
2. Investigate an insider threat
You receive a report that an employee had unusual text on his screen which didn’t seem to be work related. The company’s security team captured a recording of that employee’s network traffic from the time of the report. Your task is to use two traffic analysis tools to determine what the employee was doing. Was his activity benign—or was this evidence of an insider attack? OBJECTIVE: Conduct an investigation of a cybersecurity incident OBJECTIVE: Analyze network traffic using NetworkMiner OBJECTIVE: Analyze network traffic using Wireshark
3. Analyze suspicious network traffic
You will analyze suspicious network traffic moving in and out of a US military aide’s personal laptop. Using packet capture (PCAP) files, you will determine if it was infected by malware and if so what malware and how the infection occurred. OBJECTIVE: Analyze suspicious network traffic in a PCAP using Snort and Wireshark. OBJECTIVE: Recognize a cushion redirect in network traffic. OBJECTIVE: Recognize the identifying features of a specific exploit kit. OBJECTIVE: Recognize a malware payload being transferred to a targeted host.
Who Should Enroll Students who wish to explore a career in cybersecurity to determine if it is right for them. The ideal student is intensely curious, unwilling to give up on a problem no matter how difficult it is, and predisposed towards self-directed learning.
Learning Outcomes Students will learn will learn and practice key SOC analyst skills including:
Conducting online technical and open source intelligence research Analyzing and verifying Snort alerts Distinguishing between true and false positive alerts Analyzing packet capture (PCAP) files Analyzing suspicious user behavior Identifying vulnerabilities based on vulnerability scans Distinguishing between attacks and vulnerability scans Identifying open ports using scanners such as NMAP, Nikto, and WPScan Identifying OS/Application fingerprints Analyzing attacks that employ exploit kits.
Prerequisites
1. Only basic computer skills are required, but basic knowledge of computer networks, protocols, and the fundamentals of operating systems is strongly recommended.
2. Taking and passing a free pre-assessment is REQUIRED before students are
allowed to register for this program. If students have an IT background, they can ask to be exempted from this requirement. For more information about the pre-assessment, please click here.
Additional Info Textbook: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, 3rd Edition by Chris Sanders is highly recommended for this course (ISBN-13: 978-1593278021). It can be ordered from nostarch.com (purchases made from nostarch.com include a full-text searchable ebook version of the text, available for download immediately after purchase) (Links to many additional online learning resources are provided within the course, specific to each task.) Students must successfully complete Immediate Immersion 2021 to be permitted to enroll in the next course in this program, The Cyber Academy: Defense. Success will be assessed by a student’s mentors whose decision is final.
The Cyber Academy: Defense
Course Overview The Cyber Academy: Defense builds on the defensive skills and experience students gained in Cyber Attack and Defense: Immediate Immersion 2020. The course is designed to impart a strong foundation of defensive information security skills in 13 weeks of study at 25 hours per week, preparing students for entry-level careers as security operations center analysts and digital forensics analysts. Students work through 6 online real-life tasks (spending 1-2 weeks per task) in a private cloud environment with help, advice, and feedback from a knowledgeable mentor and extensive online learning resources. The tasks are embedded in the realistic, but fictional, context of work as an entry-level employee of a government cyber operations agency. The Cyber Academy: Defense includes the following tasks: 1. Analyze a remote intrusion attempt
A security operations center analyst has seen evidence of a password cracking attempt within a key network. Students analyze a packet capture file (PCAP) and event logs within a security information and event management system (the Splunk SIEM) to determine if any passwords were compromised and if the network was breached as a result. The student must also identify which tools were used by the attacker and which steps should be taken to safeguard specific hosts in the network from similar cracking attempts in the future. OBJECTIVE: Analyze suspicious network traffic in a PCAP using Wireshark. OBJECTIVE: Analyze network and system logs using Splunk OBJECTIVE: Cross-correlate events seen in a PCAP with events seen in logs OBJECTIVE: Recognize a Hydra brute-forcing attack OBJECTIVE: Determine if a brute-forcing attack has been successful Tasks 2 through 6 are set in the context of a single complex cyber attack.
2. Investigate an incident using a SIEM Students analyze a possible “watering hole” attack in which clicking on a malicious link embedded in an otherwise legitimate website launches an exploit kit that infects a user’s machine with a “banking trojan.” To accomplish this, they must analyze multiple logs within the Splunk SIEM. OBECTIVE: Analyze network and system logs using Splunk
OBJECTIVE: Pivot among multiple logs using Splunk’s search facilities OBJECTIVE: Identify possible indicators of compromise OBJECTIVE: Determine if devices are likely to have been infected using indicators of compromise OBJECTIVE: Tentatively identify the malware used and the intent of the attack
3. Begin to understand malware Students use a “hash” of a possible malware-containing file to conduct research using VirusTotal, online sandboxes, and open source intelligence sources to determine specific indicators of compromise to guide forensic analysis of memory and file system images of infected devices. OBJECTIVE: Use VirusTotal to identify a malware sample OBJECTIVE: Use advanced features of VirusTotal to learn detailed information about a malware sample OBJECTIVE: Use the HybridAnalysis sandbox to perform static and dynamic analysis of a malware sample OBJECTIVE: Use open source threat intelligence to learn more about specific malware
4. Examine a compromised host’s memory Students perform a forensic examination of a memory image taken from a computer to identify sophisticated malware that infected the system. OBJECTIVE: Acquire a working knowledge of process structures in memory using Volatility OBJECTIVE: “Know normal to find evil” OBJECTIVE: Formulate plan for a memory forensics investigation OBJECTIVE: Recognize malware “footprints” in a forensic memory image OBJECTIVE: Locate a malicious binary in a forensic memory image OBJECTIVE: Corroborate findings with other sources such as [Splunk] SIEM logs OBJECTIVE: Identify malware actions such as privilege escalation and browser hooking
5. Conduct a forensic disk examination Students perform disk forensics on an infected system. By analyzing an image of the computer’s file system, the students are able to identify malware infections and to create a timeline for the attack. OBJECTIVE: Analyze a forensic disk image and identify indicators of compromise using Autopsy. OBJECTIVE: Generate a timeline of suspicious events in a forensic disk image. OBJECTIVE: Determine how a device was infected and what malware variant was
used
6. Close your investigation Students are asked to conclude their investigation by compiling a timeline for the attack and writing a comprehensive report for technical and non-technical stakeholders. OBJECTIVE: Cross-correlate information from a range of sources OBJECTIVE: Combine information from a range of sources into a comprehensive report OBJECTIVE: Communicate a complex story effectively to technical and non-technical audiences.
Who Should Enroll Students who have successfully completed cyber academy: Immediate Immersion and who aspire to professional careers in defensive cyber security.
Learning Outcomes Students will learn to:
Analyze network traffic Analyze network and system logs using a security information and event
monitoring system Cross-correlate log information and network packet traffic Use online sandboxes for static and dynamic analysis of malicious executable
files to identify indicators of compromise Use threat intelligence Identify malware Perform memory forensics Perform disk forensics Compile a comprehensive timeline of a cyber attack Report appropriately to technical and non-technical stakeholders
In addition to the task-based curriculum, an implicit curriculum runs throughout the course via which students will learn and practice the cognitive skills essential for success in all areas of information security. These include:
• Understanding complex, novel problems • Effectively researching solutions • Designing and testing solutions • Self-directed learning
Prerequisites Successful completion of cyber academy: Immediate Immersion. Only basic computer skills are required, but basic knowledge of computer networks and protocols and the fundamentals of operating systems is strongly recommended.
The Cyber Academy: Attack (Reverse Engineering and Exploitation)
Course Overview The Cyber Academy: Attack focuses on key offensive skills. This 15 week program, requiring 25 hours of work per week, will start students on the path to becoming penetration testers or offensive cyber operations professionals. Development of the program was funded, in part, by the United States Department of Defense, and the curriculum was designed in conjunction with DoD and industry experts. In the project-based, learn-by-doing curriculum of The Cyber Academy: Attack, students work through eleven tasks online in a private cloud environment with constant help, advice, and feedback from knowledgeable mentors and extensive online learning resources. The tasks are embedded in the realistic, but fictional, context of work as an entry-level employee of a government cyber operations agency.
1. Analyze a suspicious file
Students analyze a suspicious binary file from a laptop confiscated from a
cyber-crime scene. They learn how to use basic reverse engineering to
crack a password-protected binary so they can run the program and gain
access to a cybercrime group’s Internet Relay Chat (IRC) channel. They
then eavesdrop on online conversations, and start compiling intelligence on
the crime group’s actors and connections.
OBJECTIVE: Perform static analysis of unknown executable files using IDA
Pro
OBJECTIVE: Create a “hacker persona”
OBJECTIVE: Conduct open source intelligence gathering by accessing and
eavesdropping on IRC conversations
2. Analyze a related suspicious file
Students now reverse engineer a more complex binary confiscated from a
ransomware attacker’s computer. This time, they must crack an encrypted
password to gain access to another protected IRC channel, which yields
login credentials for the crime group’s FTP server.
OBJECTIVE: Perform static analysis of unknown executable files using IDA
Pro and Relyze
OBJECTIVE: Create a “hacker persona”
OBJECTIVE: Conduct open source intelligence gathering by accessing and
eavesdropping on IRC conversations
3. Analyze the FTP credentials app
Students must now reverse engineer a binary and crack a doubly-
encrypted password in order to access a file that identifies the website of a
small defense contractor that is vulnerable to a local file inclusion exploit
and was also infected with malware by the crime group or another actor.
OBJECTIVE: Perform static analysis of unknown executable files using IDA
Pro and Relyze
OBJECTIVE: Perform dynamic analysis of unknown executable files using IDA
Pro
4. Conduct OSINT analysis
Students infiltrate a Russian cyber crime network by logging into an
eastern European social media site using stolen credentials. They mask
themselves as a member of the Russian crime group and gather intelligence
about the group members and their connections from the posts on the
social media site (which is a facsimile of the Russian “Facebook” site VK.ru
filled with authentic posts in Russian). Students also develop a realistic
persona which they will use while undercover within the group.
OBJECTIVE: Conduct open source intelligence gathering via social media
OBJECTIVE: Analyze foreign language material using Google Translate
OBJECTIVE: Map the power and status relationships within an organization
5. Develop buffer overflow exploits
The student goes undercover to infiltrate the cyber crime group. The crime
group’s leader asks students to execute a remote buffer overflow exploit on
a vulnerable server to prove their worth to the crime group they are
infiltrating. The student’s government boss permits them to perform this
exploit in order to strengthen the relationship with the crime group so they
can continue gathering important intel about them. The student’s attack
provides the crime group a persistent foothold on the targeted computer.
OBJECTIVE: Conduct simple and complex buffer overflow exploits
OBJECTIVE: Use OllyDbg and Immunity Debugger for exploit development
OBJECTIVE: Control data execution prevention and structured exception
handler overwrite protection on a Windows host
OBJECTIVE: “Fuzz” a server
OBJECTIVE: Generate and deploy a reverse_TCP shell using a buffer overflow
exploit (Metasploit/MSFVenom/Meterpreter)
OBJECTIVE: Use MSFConsole to interact with an active exploit
6. Strengthen a buffer overflow exploit
The crime group now asks the students to strengthen their last exploit
because a recompilation of the server’s code has apparently turned on data
execution prevention (DEP). They need to re-implement the exploit using
return-oriented programming (ROP) so it works well in the altered
environment.
OBJECTIVE: Troubleshoot a deployed exploit that stops working
OBJECTIVE: Use return-oriented programming to exploit an application
compiled with data execution prevention
OBJECTIVE: Generate and deploy a reverse_TCP shell using return-oriented
programming
OBJECTIVE: Use MSFConsole to interact with an active exploit
7. Evade antivirus
The student’s boss explains that “off-the-shelf “Metasploit payloads (which
students have been using until now) are typically recognized by most
antivirus software. He asks the students to experiment with a variety of
ways to obscure such payloads to evade detection.
OBJECTIVE: Generate malicious payloads that will evade antivirus detection
using Metasploit-based and other techniques
OBJECTIVE: Test malicious payloads using online services without exposing
the payloads to scrutiny by the information security community
8. Develop a custom malware payload
The Russian hacker group asks the students to design a custom payload for
them. Students must deliver working shellcode that deletes Windows
security logs.
OBJECTIVE: Write a custom exploit
OBJECTIVE: Generate a shellcode payload
OBJECTIVE: Deploy a custom shellcode payload via a buffer overflow exploit
9. Spearphish a company
The crime group asks the students, working undercover, to gain access into
a defense contractor’s network through a spearphishing attack on an HR
person’s machine. Posing as a job applicant, students create a fake persona
and resume, which is infected with a custom payload, reply to the job
posting, infect the HR person’s machine, and gain a persistent foothold in
the company’s network.
OBJECTIVE: Craft a realistic fake persona
OBJECTIVE: Generate an infected document
OBJECTIVE: Configure an email client
OBJECTIVE: Execute a spearphishing attack
OBJECTIVE: Establish persistence on a target machine
10. Exploit a company’s database
Working undercover in the crime group and using the persistent foothold
gained on an HR person’s machine, students access the company’s
personnel database using SQL injection and exfiltrate data (which is
scrubbed before passing it on to the crime group).
OBJECTIVE: Test a database for common (OWASP) vulnerabilities
OBJECTIVE: Exploit a database using SQL Injection
OBJECTIVE: Exfiltrate data
11. Attack a nation-state
Human intelligence determines that the cyber crime group is connected to
a Russian security agency. On behalf of the US government, students
spearphish the leader of the crime group, use a keylogger to obtain his
login credentials, and then surreptitiously log into his computer. Using
access provided by the crime boss’s computer, they then gain a foothold on
a Russian intelligence officer’s machine. Students exploit a vulnerability in
a Python framework to gain access to a C2 database of classified
information from which they exfiltrate a key document.
OBJECTIVE: Plan a complex attack
OBJECTIVE: Execute a spearphishing attack
OBJECTIVE: Establish persistence on a target machine
OBJECTIVE: Conduct reconnaissance on an exploited target machine
OBJECTIVE: Fingerprint a server to determine vulnerabilities
OBJECTIVE: Exfiltrate data
Who Should Enroll Students who have successfully completed the Cyber Academy: Defense and who want to learn more about the “attack side” of cyber security and cyber operations.
Learning Outcomes Students will learn to:
Reverse engineer unknown binary (executable) files using static and dynamic analysis
Conduct open source intelligence Exploit server and application software using buffer overflow exploits and
return-oriented programming Exploit database systems using SQL injection Develop custom shellcode exploits Evade antivirus software Spearphish a trusting victim Plan and conduct a complex cyber attack Pivot through a network Exfiltrate data
In addition to the task-based curriculum, an implicit curriculum runs throughout the program via which students will learn and practice the cognitive skills essential for success in all areas of information security. These include:
Understanding complex, novel problems Effectively researching solutions Designing and testing solutions Self-directed learning
Prerequisites Successful completion of the Cyber Academy: Defense.
Additional Info